Have you ever sent your social security number in an email? Maybe not. But could someone tell where you bank from your emails? Most likely. A lot of us don’t think twice about the identity trail we leave in emails. But your email is a goldmine of information. Here are some of the events that can, and often do, transpire after someone’s email is compromised.
1. Trick You Into Thinking You Changed Your Password
Chances are if someone got your credentials, you fell for a phishing scam. Don’t be ashamed. Phishing schemes are sophisticated tools used by well-funded criminal networks around the world. They know exactly what to say and how the email should look to get you to fall for it. They often use tactics to evoke emotion. Emotion bypasses the logical part of your mind that would otherwise think something’s “phishy”.
These emails may spoof a company that you get emails from all the time like Microsoft, Google, or Facebook. They may tell you your account has been compromised and that you should click a link in the email to change your password. Except the link goes to a spoof website that looks exactly as it should. Without thinking about it, you enter your current password. And worse yet, if you used the same password on multiple websites, they may now have access to your bank accounts, retirement, Amazon, and more.
Often criminals attack you when you least expect it. So they may create a phishing scam on a low-security website hoping you also used that password on high-security accounts.
2. Download Your Emails
You may have this picture of a criminal searching your emails one by one trying to find something they can use. But the truth is much more sinister. They can download all of it as soon as they get into your account. Then they have all of the time in the world.
So, even if you realize fairly quickly what has happened, they’ve got what they want.
3. Use Software to Find Information
You may think that private information is a needle in a haystack. What are the chances they would find it? Know that criminals use specialized software to scan your emails for keywords, companies, and types of documents that may have the information they can use to harm you or those around you.
4. Send Phishing Emails to Your Grandmother
This criminal now has your contacts so they can easily send emails (or other communications) to your grandmother or a person who may be less tech-savvy. These emails may say you’re in trouble and ask the vulnerable recipient to send money. They’re customized based upon the relationship between you and the other person.
This criminal can “sound” just like you in an email because they have all of your emails.
5. Send Embarrassing Photos or Emails to Others
A criminal doesn’t have to personally know you to think it would be funny to send an email to your boss or a client that includes compromising images from your email or another account.
6. Send Phishing Emails to Your Co-workers Or Boss
They could also steal your boss’s, co-workers’, or clients’ information by sending phishing emails that appear to come from you. Phishing is the gift that keeps on giving.
7. Find Out Where You Keep Your Money
Chances are you receive emails from your bank, credit card companies, PayPal, Venmo, investment websites, and more. These narrow down the targets for the criminal. Most people would be devastated if someone wiped out their retirement. But what about two-step authentication? At least that protects you. Think again. Often criminals can piece together what they need through your email, social media, and other websites to get past these roadblocks.
8. Ask an Associate to Change Payment Destination or Send Payment
Do you manage people who have access to the purse strings of a company? Or does a client owe you money? A criminal can hijack this process, getting someone to send a large sum of money to an untraceable series of accounts, often in multiple countries. Stopping or reversing a transaction like this is nearly impossible.
9. Use Social Engineering to Force Your Hand
Often these criminals use a technique called social engineering to get people to send money. Social engineering taps into the average person’s desire to please others, follow a boss’ instructions, and do other very human things. For example, in many companies, not following a direct order would be insubordination, so the criminal may use language that makes an employee fear not following instructions promptly.
Alternatively, they may send a lower-level employee an email from an account that appears to belong to someone in the C-suite whom the employee doesn’t directly know. This fake C-suite person asks the employee for help because the boss is unavailable. This employee wants to impress the C-suite, so they comply. If you are in upper management, they can do this to your employees in your name.
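A mail-filter check for the impersonation and payment-request patterns described in items 8 and 9, as an added example that is not part of the original article. The organization domain, executive name, phrase list, and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only; none come from the article.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield"}
PAYMENT_PHRASES = ("wire transfer", "bank details", "new account number")

# Constructed sample: executive display name on a lookalike external address.
SPOOFED = (
    "From: Dana Whitfield <dana.whitfield@example-corp.test>\n"
    "Reply-To: dana.whitfield@mailbox.test\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire transfer today\n"
    "\n"
    "I'm in meetings and unreachable. Please use the new account number below.\n"
)
# Constructed sample: same kind of request from a real (compromised) internal mailbox.
INTERNAL = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Vendor update\n"
    "\n"
    "Please change the vendor's bank details before Friday's payment.\n"
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return addr.rpartition("@")[2].lower()


def review_message(raw: str) -> list:
    """Return the reasons a message should be verified out of band."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # A known executive's display name on an address outside the organization.
    if name.strip().lower() in EXECUTIVES and _domain(addr) != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append("reply-to domain differs from sender domain")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body if isinstance(body, str) else ''}".lower()
    if any(phrase in text for phrase in PAYMENT_PHRASES):
        reasons.append("payment or bank-detail request")
    return reasons
```

The `INTERNAL` sample passes both header checks because it comes from a genuine internal mailbox, so only the payment-request rule fires; that is the case item 10 describes.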
10. Work Their Way Up Through an Organization to Get What They Want
If the criminal still has access to your business account, they can even send emails directly from “you”, making it seem even more authentic. That’s called Business Email Compromise.
Using social engineering, a criminal could gain access to a C-suite account by pretending to be from the IT department, for example. Once a criminal has just one email account within a company, they can work their way up an organization. Eventually, they get to the email accounts of the decision-makers.